| Date: | Thursday, August 23rd, 2007 |
| Time: | meeting 7:00 - 9:00 PM, social/networking until 10 PM |
| Location: | Bayshore Technology Park 1300 Island Drive Redwood City, CA 94065 Suite 106 - Training Room |
Securing Web Applications in the LAMP Environment - Qualys
Most web application vulnerabilities can be exploited regardless of network and host security settings. This presentation demonstrates the steps that system administrators can take to minimize the impact to users and application owners of common web-based attacks such as SQL injection, cross-site scripting, and remote file include -- even when they do not have access or cannot change the site's code.
Even though vulnerabilities must be fixed in the application's source code, a securely deployed LAMP (Linux, Apache, MySQL, PHP) stack can minimize the scope of compromise. Attendees will not only be shown the latest trends in web-based exploits, but also learn how to apply often overlooked or misapplied Apache and MySQL configuration settings. Examples will include httpd.conf, mod_rewrite, mod_security, php.ini, and MySQL.
This presentation will step through the exploit of a common web application and examine the LAMP configurations that do and do not affect its security. This will enable system administrators to better understand where they should focus their security efforts.
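As an added illustration of the php.ini hardening the abstract refers to (example code written for this page, not material from the presentation), the script below audits a php.ini text for directives that widen the impact of remote file include, cross-site scripting and information-disclosure attacks. The checklist, the compiled-in defaults it assumes for unset directives, and the two php.ini snippets are all constructed assumptions of this example.

```python
"""Audit php.ini for settings that enlarge the blast radius of common web attacks."""

# Assumed hardening checklist for this example: directive -> (safe value, attack class).
CHECKS = {
    "allow_url_include": ("Off", "remote file include"),
    "allow_url_fopen": ("Off", "remote file include"),
    "display_errors": ("Off", "information disclosure (stack traces, paths)"),
    "expose_php": ("Off", "information disclosure (version banner)"),
    "session.cookie_httponly": ("On", "cross-site scripting (session cookie theft)"),
}

# Assumed compiled-in PHP defaults used when a directive is absent from the file.
DEFAULTS = {
    "allow_url_include": "Off",
    "allow_url_fopen": "On",
    "display_errors": "On",
    "expose_php": "On",
    "session.cookie_httponly": "Off",
}


def php_bool(value):
    """Mirror PHP's loose boolean parsing of ini values."""
    return value.strip().lower() in ("1", "on", "true", "yes")


def parse_php_ini(text):
    """Return {directive: value}; ignores ';' comments and [section] headers."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings


def audit(text):
    """Return [(directive, current value, attack class)] for every weak setting."""
    settings = parse_php_ini(text)
    findings = []
    for directive, (safe, attack) in CHECKS.items():
        current = settings.get(directive, DEFAULTS[directive] + " (default)")
        if php_bool(current.split(" ")[0]) != php_bool(safe):
            findings.append((directive, current, attack))
    return findings


# Constructed sample files: a permissive php.ini and a hardened one.
WEAK_INI = "[PHP]\nallow_url_fopen = On\nallow_url_include = On\ndisplay_errors = On\nexpose_php = On\n"
HARDENED_INI = "[PHP]\nallow_url_fopen = Off\nallow_url_include = Off\ndisplay_errors = Off\nexpose_php = Off\nsession.cookie_httponly = 1\n"

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini))
```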
Bio Mike Shema - Security Research Engineer, Qualys
Mike Shema is the co-author of Hacking Exposed: Web Applications, The Anti-Hacker Toolkit, and the author of Hack Notes: Web Application Security. He has extensive consulting experience with information security within a variety of industries. While his security background ranges across network penetration testing, wireless auditing, code review, and training, he primarily focuses on web application security. He currently works at Qualys, developing tools that automate the web application audit process.
Bio Matthew Wirges - QA Security Engineer, Qualys
Matt Wirges is a QA Security Engineer at Qualys, where he focuses primarily on security issues with Qualys' pre-release web components and on quality assurance of Qualys' other web capabilities. Prior to joining Qualys, Matt was a Lead IT Security and Privacy Analyst at Purdue University, where he developed a university-wide incident response program and the VSC, a web interface to a cluster of Nessus vulnerability scanners; his other duties included incident handling and risk analysis. Before that, Matt was a web application developer writing applications in PHP, Perl, and Zope. He is a Certified Information Systems Security Professional and received a Bachelor of Science in Interdisciplinary Computer Science from Purdue University.
Presentation Slides
References/Resources